Introduction At the European Banking Authority (EBA) Working Group on APIs under PSD2, a number of market participants raised concerns that there could be a potential mismatch, particularly in the case of a revoked authorisation, between the information contained in the eIDAS PSD2 certificate and the information contained on the EBA and national r...
18 June 2019 Banking Regulations
In a recent dialogue with the EBA, they stated about PSD2 open banking regulations that: “Ignorance of them can of course not be used to justify non-compliance”. Further adding: “Non-compliance amounts to a breach of law, with the resultant consequences for the legal entity.” With that in mind and with a deadline of March 14 2019 looming less than 6...
23 October 2018 Open Banking
As the clock counts down to when Financial Institutions (FIs) must be ready for external testing for PSD2 open banking it is interesting to see how ready, or not, all other parties are in the value chain. Most national competent authorities have nothing published about how and where they will provide updates on Third-Party Provider (TPP) registrat...
24 August 2018 Banking Regulations
The FCA amendments to the open banking identification requirements have very clear next steps for both ASPSPs and TPPs.
ASPSPs must assess what changes they need to make to their systems so they can accept at least one alternative form of digital certificate (in addition to eIDAS Certificates). Any changes that need to be made must be implemented as soon as possible ahead of IP Completion Day. They also need to tell TPPs which alternative certificates they will accept as early as possible.
The amendments also clearly state that ASPSPs, without causing an obstacle, must “verify that the payment service provider is authorised or registered to perform the payment services relevant to its activities”.
For TPPs, the guidance is much simpler. If their eIDAS certificates are likely to be revoked, they must have an alternative certificate(s) as soon as possible ahead of IP Completion Day.
04 Nov 2020 15:57
As the ING study states, the success of open banking is largely down to convenience and trust, with trust being the determining factor. The security involved in accessing data is critical to get right and the risks are high.
So, what are the risks for those involved? For the customer they’re low. However, for Financial Institutions the risks are high. There are new players - third-party providers (TPPs) - involved, and valuable consumer data being exchanged. Once the account holder has given permission for their data to be shared with a TPP, it’s the responsibility of the Financial Institution to ensure nothing goes wrong.
However, it’s complex and time consuming to identify these third parties, check they’re authorised to provide the services being requested and find the relevant passporting information. All this needs to be determined at the time of the transaction request.
To verify a TPP’s identity and know its latest authorisation status, there are over 70 Qualified Trust Service Provider (QTSP) certificate revocation lists and 115 National Competent Authority (NCA) registers from across the EEA that need to be accessed to find this information. Knowing how to interpret and standardise the data presents additional issues. Different languages, duplicated entries and missing information are just some of the issues that need to be taken into consideration.
It’s also important to ensure all checks and due diligence are performed using the latest available source data provided by the relevant National Competent Authorities. If there is a disputed transaction or issue, the Financial Institution needs to be able to show it has used the relevant source data or face being liable for the transaction.
With open banking services set to increase, which will drive greater transaction volumes, data security and trust in the open banking ecosystem are paramount – without them customer loyalty and trust will quickly be lost.
06 Oct 2020 19:26
This is an excellent article that lays out some of the key challenges around risk and liabilities. It talks about banks investigating to see if insurance covers them for cyber-crime risk but in my view misses one key aspect of the whole process: checking to see if the TPP is both valid and regulated. The challenge is there is no central government database that covers both eIDAS certificates, passporting and regulated status. Even for the regulated status check, the only central database, offered by the EBA, not only does not include banks (Credit Institutions), but states on the home page: ‘users of the register should be aware that there may be a discrepancy between the information contained on the file and the information contained on the actual register’, or in other words, it may not be accurate.
To complicate matters still further, we have seen some National Competent Authorities introduce a new class of ‘suspension’, in that the party is still regulated and would appear on the EBA database as regulated but, in reality, has been suspended from carrying out regulated activity. The risk here to banks of course is significant, as if they provide data to unregulated TPPs or TPPs not regulated for that data, i.e. AISP/PISP, then they leave themselves open not just to the financial cost but also reputational issues and the effect this may have on customer trust.
A number of private companies such as Konsentus and PRETA have stepped into this void and created accurate NCA registries that banks can use to check data. Konsentus even cover both eIDAS and NCA data as well as offering insurance for the banks.
25 Nov 2019 13:08